I use revision control systems for almost all of my software development, deployment, and server configuration. When using Subversion there is, technically, no difference between a working copy on my personal or development machines vs. a working copy on a production server. (Yes, you need a working copy on the production server, because exports cannot be updated that easily.) However, modifications of the checked out code or config files on a production server can cause problems with the next round of updates. Sometimes you just don’t notice that there are conflicts that need to be resolved.

To make sure I notice when a colleague or I have fallen back into the bad habit of changing things on a production server directly, rather than checking in changes to the repository, I have created a Nagios Plugin: it’s called “check_svnstatus”

Installation and Configuration

Copy check_svnstatus.sh to your Nagios plugins directory. Usually this will be /usr/lib/nagios/plugins or /usr/local/nagios/libexec but your environment may be different. The plugin needs to be copied to the same server as your working copy, i.e. if you’re watching working copies on different servers you need the plugin on all of those servers.

Make check_svnstatus.sh executable:

chmod +x check_svnstatus.sh

You can test the plugin now by manually invoking it:

/path/to/check_svnstatus.sh -d /your/working-copy

You should see “OK: working copy at /your/working-copy is unmodified”, but “CRITICAL: working copy at /your/working-copy contains modifications” would also be OK for the moment; you can clean up later.

Now we need this to be run from Nagios… Things will be slightly different depending on whether your working copy resides on the same server as Nagios or on a different server. Lets start with a local working copy, i.e. one that’s on the same server as your Nagios install.

First you need a Nagios command. If you’re still using a modified version of the sample configuration files (nothing wrong with that!) append this to commands.cfg:

Reload the Nagios configuration (or, if you get the hint: check in the config changes to your Subversion repository, then run svn update on the config directory on your Nagios server, then run something like service nagios reload) and Nagios will schedule the first check of your working copy… Things will be very straightforward and self-explaining from here.

Now if your working copy is on a different server than your Nagios install, you need a method to invoke the plugin remotely. There are various methods for doing so, and there tend to be lengthier discussions about the pros and cons, but please keep in mind that this post is not about remote invocation methods. For this example I’ll be using check_by_ssh but NRPE or other methods will work as well. If you’re unfamiliar with remote invocation and/or you’ve never run “check_by_ssh” before you should get this sorted out first, e.g. by reading this post on TechRepublic.

The following example relies on “check_by_ssh” and thus requires additional configuration which is not covered in this article!

Once again: reload the Nagios configuration and Nagios will schedule the first check of your working copy… Things will be as straightforward and self-explaining as they were for a local working copy.

By the way: You can also call this a poor-man’s IDS as it will trigger alerts when someone exploits your website and drops or alters PHP or other files in your htdocs directory (if you’re using Subversion to deploy).

Oh, and think about this: It might be good idea to put your Nagios configuration in a Subversion repository. Whether or not you end up monitoring the working copy on the Nagios server.

Additional reading

If you’ve been scratching your head over the “deployment” remark in my opening sentence you might want to follow these links:

Links

Recent Posts

This blog is about Information Technology (technical) issues, tips and tricks I find worth sharing with the world. It’s also the home base for all of my open source projects. If you want to support me financially, please go to the Donations page. For moral support please leave a comment, or follow me on Twitter or Facebook: